
CVE-2022-36975

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15332.


Release Information: Product: AvalanchePremise_6.3.4 Description: Avalanche Premise 6.3.4 for Windows Version: v6.3.4.153 Notes: Avalanche 6.3.4 Release

What's New in This Version:
* Support for Battery Campaigns in Neurons
* Support for Device Actions in Neurons
* User Management: Neurons Access Token has been added to allow device commands to be sent from Neurons.
* Audit Log: Device commands sent from Neurons will be captured and filterable in the audit log.

Fixes:
* Fix to address CVE-2021-44228
* Fix to address CVE-2022-22965
* Fixes to address ZDI-CAN-15301, ZDI-CAN-15328, ZDI-CAN-15329, ZDI-CAN-15330, ZDI-CAN-15332, ZDI-CAN-15333, ZDI-CAN-15449, ZDI-CAN-15493, ZDI-CAN-15528, ZDI-CAN-15919, ZDI-CAN-15966, ZDI-CAN-15967

Release Information: Product: AvalanchePremise_6.3.3 Description: Avalanche Premise 6.3.3 for Windows Version: v6.3.3.101 Notes: Avalanche 6.3.3 Release

What's New in This Version:
* User Management: Neurons Access Token has been added to allow device commands to be sent from Neurons.
* Audit Log: Device commands sent from Neurons will be captured and filterable in the audit log.
* Android Enterprise Restrictions Payload: Allow Developer Options to be enabled on Android Enterprise devices in Fully Managed mode.
* Configuring Windows (AIDC) Software Packages: A single-use password is now issued and required for launching configuration utilities with software packages.
* Device Details: Device actions are now enabled or disabled based on the reporting of the enabler capabilities property.
* Data Repository Service: The DRS has been removed. File and OS Update payloads that used DRS will need to be updated to use the Central FileStore.

Component Updates:
* Updated to Java 15
* Updated to Tomcat 9.0.56

Fixes:
* Fix to address Remote Control service startup error when port 80 is blocked.
* Fix to address CVE-2021-30497
* Fixes to address ZDI-CAN-14123, ZDI-CAN-14187, ZDI-CAN-14188, ZDI-CAN-15130, ZDI-CAN-15137, ZDI-CAN-15168, ZDI-CAN-15169, ZDI-CAN-15200, ZDI-CAN-15217, ZDI-CAN-15251

Release Information: Product: AvalanchePremise_6.3.2 Description: Avalanche Premise 6.3.2 for Windows Version: v6.3.2.3490 Notes: Avalanche 6.3.2 Release

What's New in This Version:
* Printer management. Discover printers in the warehouse and bring them under management with a streamlined, remote provisioning process. Once your printers are managed by Avalanche, push files and settings to them, receive real-time alerts from them, and view their status remotely.
* Velocity configuration manifests. Create Velocity manifests to distribute Velocity configuration files from the Central File Store to your Android Enterprise devices.
* NFC provisioning for Android Enterprise. Use NFC provisioning to send Wi-Fi and enrollment information from an enrolled fully managed Android Enterprise device to new devices.
* QR code provisioning for Android Enterprise. Use QR code provisioning to send Wi-Fi and enrollment information from an enrolled fully managed Android Enterprise device to new devices.
* Android Enterprise enabler customization. Use an Android Enterprise enabler customization payload to configure the appearance of the enabler.
* Credentials certificate payload for Android. Use credentials certificate payloads with Wi-Fi payloads to verify the user or server identity when connecting to enterprise networks with Android and Android Enterprise devices.
* Temporarily disable lock task mode. To ease troubleshooting, temporarily disable lock task mode on a device from the console or the enabler.
* Android Enterprise provisioning profile. Use Android Enterprise provisioning profiles to create provisioning QR codes. Scan a provisioning QR code to enroll new fully managed devices with a reduced amount of device interaction.
* Reboot Android devices from the Avalanche Console.
* Launch apps on install or reboot. When creating an Android Enterprise software payload, you can select to launch the app on install or reboot. This option is important for installing remote control software.

Fixes:
* Fix: Removed drag and drop in the folder tree. Drag and drop will continue to function when applying Smart Device and Printer profiles.
* Fix: Custom property changes to an individual device in the device details will not update all devices that share the same custom property.

Release Information: Product: AvalanchePremise_6.3.1 Description: Avalanche Premise 6.3.1 for Windows Version: v6.3.1.1507 Notes: Avalanche 6.3.1 Release

New Features and Improvements:

Android Enterprise Support
* Support for Fully Managed and Dedicated Device (Kiosk) modes
* File Payload
* Restriction Payload (Fully Managed and Dedicated Device modes)
* Disable factory reset from settings
* Remove factory reset protection data
* System Update Policy Payload (Fully Managed and Dedicated Device modes)
* Wi-Fi Payload
* Scan to enroll support using the device camera
* Factory reset wipe command can remove factory reset protection data and wipe the SD card.
* Log file retrieval from device
* New Android Enterprise Enabler https://play.google.com/store/apps/details?id=com.ivanti.enterprise

UI performance and user experience
* Load time improvements for Inventory, Profiles, and Rugged Device Details pages
* Inventory page has been split into three tabs: Device Inventory, Server Inventory, and Mobile Device Groups
* Smart Device Payloads have been moved to their own tab
* All Smart Device Payloads have been redesigned from a dialog-based UI to a modern page design
* Smart Device Profile has been redesigned from a dialog-based UI to a modern page design

* Velocity config support added for both Android and Android Enterprise management
* Create scan to enroll QR codes directly from Enrollment Rules
* UserVoice for Avalanche link
* UTC data model for custom columns to allow timestamp to be displayed as date and time.

Fixes:
* Fix: Custom properties can now be saved in network and scan to configure profiles.
* Fix: Scan to configure, custom properties, and registry keys can now be edited after creation.
* Fix: Certificate Manager improvements

Release Information: Product: AvalanchePremise_6.3.0 Description: Avalanche Premise 6.3.0 for Windows Version: v6.3.0.555 Notes: Avalanche 6.3.0 Release

New Features and Improvements:

Android Enterprise Work Profile Support
* Create new or enroll an existing Google Play Android Enterprise account
* Support for multiple enterprise accounts
* Enrollment Rules reference Google Play Android Enterprise accounts
* Passcode settings support for both Device and Work Profile
* Support for Google Enterprise Play Store apps, including configuration
* Runtime Permissions settings for Apps (account-wide for Google Enterprise or granular per-app settings)
* Lock, Unenroll, Delete Work Profile
* New Android Enterprise Enabler https://play.google.com/store/apps/details?id=com.ivanti.enterprise

* FCM Notification Service support
* Panasonic OS Updates
* APN Payload for Android
* License upgrade from 6.2 to 6.3 (requires a restart of the eserver)
* Subscription License support
* HTTP/HTTPS Webserver configuration added to install
* Prerequisite Software settings for Manifest URL Software Payloads
* "Outgoing IP address of router is reported as IP address" setting added to Smart Device Profile

Removed:
* Compliance Payload (Compliance status is now based on Android Enterprise Passcode Compliance)

Fixes:
* Fix: Improved CFS logging
* Fix: Certificate Manager settings on reboot
* Fix: CFS access token expiration extended
* Fix: Android App Name handling with special characters
* Fix: CFS access token renewal
* Fix: Reduction in SDS device sync time with selection criteria
* Fix: Accessing device details from search no longer causes an error
* Fix: AIDC software profile now shows correct package type

Release Information: Product: AvalanchePremise_6.2.2 Description: Avalanche Premise 6.2.2 for Windows Version: v6.2.2.197 Notes: Avalanche 6.2.2 Release

New Features and Improvements:
* License upgrade option added to the web console (6.2.2 only)

Removed:
* Removed support for Java 7; Java 8 is now required

Fixes:
* Security fixes for CVE-2018-8901 and CVE-2018-8902
* Security fixes for Remote Control Web UI, including jQuery updates
* Fixes to Central File Store configuration page

Release Information: Product: AvalanchePremise_6.2.0 Description: Avalanche Premise 6.2.0 for Windows Version: v6.2.0.602 Notes: Avalanche 6.2.0 Release

Key New/Changed Features Overview:

Enrollment
* Enrollment rules now determine whether the enabler will use ANS or GCM as the notification service on Android.
* A new type of enrollment rule, the reference Enrollment Rule (Global Enrollment Rule), has been added that allows rules to be added at regions and deployed to multiple SDServers. You may add a folder that will be created and deployed at the root of all SDServers below the rule's region.

Broadcast to enroll
* When an enroll.prf file has been placed on the device with 'broadcast' as the server address, it will now perform a UDP broadcast to find a listening SDServer on the same subnet.

Multiple Smart Device Servers
* The SDS node has been altered to have a local Inforail, SDServer, ANServer and File Store. To allow this, an SDServer profile has been created.

SDS Profile
* The settings for the central SDS have been moved from the system settings page into a new Smart Device Server Profile. These include: APNS Cert, Google GCM Info, HTTPS Cert, SDS Public Address, Automatic Smart Device Check In, Smart Device Client Administrator Password.
* SDS Profile inheritance has changed: profiles now aggregate settings instead of overwriting them. This allows you to set things like APNS, GCM and wildcard HTTPS certs at a higher level and have them applied to lower SDS nodes in the tree. You can then set specific settings, such as the SDS public address or check-in times, in a locally applied SDS profile.
* The Device Folder Assignment setting allows the enrollment to be placed in a static folder or placed dynamically based on folder selection criteria.
* UDP Service Discovery allows the SDS to listen for enrollment broadcasts from the enabler.

Central File Store
* These settings allow you to point to a file share. Files can be uploaded and managed via the Central File Store. You can then use these files in Android manifest URL software payloads, Android file payloads and Android OS Update payloads. Upon deployment of these payloads to an SDS, the files will be cached in a file store local to the SDS.

Implemented Zebra MX Extensions
* The Android Agent now applies the StageNow config file "avamxmf.xml" placed at the specific location "/sdcard/Ivanti/MXMF" on the SD card using the MX framework. The log message "MXMS configuration XML file applied successfully" will be displayed when the MX config file is applied.

New Features and Improvements:
* Scalability - multiple SDS support
* Improved ANS reliability
* Distributed file caching
* Upgrade to Tomcat 8.5
* Android device restrictions for post-KitKat devices
* Vendor-specific enablers - Panasonic, Datalogic, Zebra
* GCM and ANS enabler functionality combined into a single enabler
* Hide Google search box
* Zebra MX Extensions
* Reference (Global) enrollment rules
* Updated passcode payload
* Updated Restrictions payloads
* Restrict access to settings application
* Updated Application whitelisting
* Updated Application blacklisting
* Combined GCM and ANS enabler
* Device wiped if device admin is disabled
* Devices can broadcast to find their local Avalanche instance and enroll
* Set NTP server and time zone on device
* Ivanti Rebrand

Removed:
* DEP Support (system settings and enrollment rule)
* VPP (Tools>VPP)
* Windows Phone 8 support (payloads, system settings)
* LDAP for Login and Enrollment + LDMS connection info (system settings)
* LDAP Enrollment (Enrollment rule)
* User Targeting (system settings, user tree)
* LD Portal (software payload deployment option, link payload deployment option)
* Media Payload
* Check for updates (Tools>Check for updates)
* Android Remote Control Settings (System Settings)
* Wavelink Remote Control Button in Inventory Page
* Tiny URL column on enrollment rule page
* Enabler: Home screen with Remote Control Server Address
* Enabler: About Screen
* Enabler: Remote Control capability

Fixes:
* Fix: Improved data validation for Java beans
* Fix: Manifest app installation in Android client
* Fix: Improved functionality with self-signed certificates
* Fix: Deployments rolled back in large systems
* Fix: Devices overwriting one another on enroll
* Fix: IP ranges in selection criteria were treated as a string and not numerically
* Fix: Data from other payloads sometimes displayed in a new payload

Related news

TellYouThePass Ransomware Group Exploits Critical PHP Flaw

An RCE vulnerability that affects the Web scripting language on Windows systems is easy to exploit and can provide a broad attack surface.

Lazarus Group Using Log4j Exploits to Deploy Remote Access Trojans

The notorious North Korea-linked threat actor known as the Lazarus Group has been attributed to a new global campaign that involves the opportunistic exploitation of security flaws in Log4j to deploy previously undocumented remote access trojans (RATs) on compromised hosts. Cisco Talos is tracking the activity under the name Operation Blacksmith, noting the use of three DLang-based

CVE-2023-41726

Ivanti Avalanche Incorrect Default Permissions allows Local Privilege Escalation Vulnerability

Cyber Group 'Gold Melody' Selling Compromised Access to Ransomware Attackers

A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group Gold Melody, which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant). "This financially motivated

Alert: Active Exploitation of TP-Link, Apache, and Oracle Vulnerabilities Detected

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three flaws to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The security vulnerabilities are as follows - CVE-2023-1389 (CVSS score: 8.8) - TP-Link Archer AX-21 Command Injection Vulnerability CVE-2021-45046 (CVSS score: 9.0) - Apache Log4j2 Deserialization of Untrusted

CVE-2023-21954: Oracle Critical Patch Update Advisory - April 2023

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...

Intel Data Center Manager 5.1 Local Privilege Escalation

The latest version (5.1) and all prior versions of Intel's Data Center Manager are vulnerable to a local privilege escalation vulnerability via the application user "dcm", which is used to run the web application and the REST interface. An attacker who has gained remote code execution as this dcm user (e.g., through Log4j) is then able to escalate their privileges to root by abusing a weak sudo configuration for the "dcm" user.

CVE-2022-38765: Canon Medical Software Security Updates

Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.

CVE-2022-43484: CVE-2022-43484について

TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability because they use an old version of Spring Framework that contains the vulnerability. The vulnerability is caused by an improper input validation issue in the binding mechanism of Spring MVC. When the application processes a specially crafted file, arbitrary code may be executed with the privileges of the application.

Iranian Hackers Compromised a U.S. Federal Agency’s Network Using Log4Shell Exploit

Iranian government-sponsored threat actors have been blamed for compromising a U.S. federal agency by taking advantage of the Log4Shell vulnerability in an unpatched VMware Horizon server. The details, which were shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), come in response to incident response efforts undertaken by the authority from mid-June through mid-July 2022

Joint Advisory AA22-279A and Vulristics

Hello everyone! This episode will be about the new hot twenty vulnerabilities from CISA, NSA and FBI, Joint cybersecurity advisory (CSA) AA22-279A, and how I analyzed these vulnerabilities using my open source project Vulristics. Alternative video link (for Russia): https://vk.com/video-149273431_456239105 Americans can’t just release a list of “20 vulnerabilities most commonly exploited in attacks on […]

Exploit Attempts Underway for Apache Commons Text4Shell Vulnerability

The good news: The Apache Commons Text library bug is far less likely to lead to exploitation than last year's Log4j library flaw.

CVE-2022-38108: Published | Zero Day Initiative

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-36957: Published | Zero Day Initiative

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-34102: Crestron Electronics, Inc.

Insufficient access control vulnerability was discovered in the Crestron AirMedia Windows Application, version 4.3.1.39, in which a user can pause the uninstallation of an executable to gain a SYSTEM level command prompt.

Vulnerability Exploits, Not Phishing, Are the Top Cyberattack Vector for Initial Compromise

A slew of Microsoft Exchange vulnerabilities (including ProxyLogon) fueled a surge in attacks targeting software flaws in 2021, but the trend has continued this year.

Hackers Exploited Atlassian Confluence Bug to Deploy Ljl Backdoor for Espionage

A threat actor is said to have "highly likely" exploited a security flaw in an outdated Atlassian Confluence server to deploy a never-before-seen backdoor against an unnamed organization in the research and technical services sector. The attack, which transpired over a seven-day period at the end of May, has been attributed to a threat activity cluster tracked by cybersecurity firm Deepwatch

MobileIron Log4Shell Remote Command Execution

MobileIron Core is affected by the Log4Shell vulnerability whereby a JNDI string sent to the server will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the tomcat user. This Metasploit module will start an LDAP server that the target will need to connect to.

Apple Just Patched 37 iPhone Security Bugs

Plus: A Google Chrome patch licks the DevilsTongue spyware, Android’s kernel gets a tune-up, and Microsoft fixes 84 flaws.

RHSA-2022:4880: Red Hat Security Advisory: ACS 3.70 enhancement and security update

Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes bug fixes and feature improvements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-23820: json-pointer: type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays * CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion

CVE-2022-28874: Security advisories

Multiple Denial-of-Service vulnerabilities were discovered in F-Secure Atlant and in certain WithSecure products: scanning fuzzed PE32-bit files causes memory corruption and a heap buffer overflow, which can eventually crash the scanning engine. The exploit can be triggered remotely by an attacker.

Spring4Shell Spring Framework Class Property Remote Code Execution

Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable to remote code execution due to an unsafe data binding used to populate an object from request parameters to set a Tomcat specific ClassLoader. By crafting a request to the application and referencing the org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following: class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can gain remote code execution.

CVE-2021-3100: ALAS2-2021-1732

The Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.1-13 didn’t mimic the permissions of the JVM being patched, allowing it to escalate privileges.

CVE-2022-22968: CVE-2022-22968 | Security

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

Microsoft’s Response to CVE-2022-22965 Spring Framework

Summary: Microsoft used the Spring Framework RCE Early Announcement to inform analysis of the remote code execution vulnerability, CVE-2022-22965, disclosed on 31 Mar 2022. We have not to date noted any impact to the security of our enterprise services and have not experienced any degraded service availability due to this vulnerability.
